BreachBytes

Net/FSE has received coverage from IT Network World Canada posting it to their available downloads.  And in regard to our not returning their call, yes we have returned their call (albeit a little late).

An article written by my partner Ben Uphoff has been published by (IN)SECURE Magazine. Scroll down to page 68 for the full text of the article.

Ben has done a great job of outlining what it takes to perform effective incident investigation using Net/FSE for in-depth alert analysis. I’d like to outline some of the snippets from the article that support the point that network intrusions, breaches and incidents are inevitable and the only way to perform proper incident investigation is to “keep it all.”

A core belief at Packet Analytics is that despite the best efforts of security vendors and practitioners, incidents are inevitable. There are simply too many threats and too many angles of attack. Technology on enterprise networks evolves so quickly that it is nearly impossible to keep up with the ever-changing threat landscape. For this reason, network breaches and security incidents must be seen as part of doing business in a connected world. Enterprises can mitigate the risk of a breach by following best practices and preparing a comprehensive incident response and recovery plan.

One challenge with working with network event data is that you can never be sure what event information is relevant until after the fact. For example, enterprises did not see value in storing DNS logs until DNS exfiltration attacks started appearing. With no historical log of DNS activity, those that fell victim to such attacks had no way of definitively knowing the extent of the data leakage resulting from the breach.

Contrary to the “keep it all” approach, SIMs try to reduce data volume at the collection points by aggregating similar events into statistical summaries that are then fed into the correlation engine, losing potentially valuable information in the process. Summaries are useful for the correlation engine but not for deep analysis of network events

We look forward to starting a dialog on the “keep it all” strategy and how we can improve the effectiveness of security and network operations in performing Network Event Analysis. Please post a comment.

According to SC Magazine Australia, MTV experienced a breach compromising the confidential information of over 5,000 employees.

…it appears an employee may have fallen victim to a social engineering trick that allowed a trojan to be installed on his or her machine.”

Interestingly, more and more breaches are as a result of tactics to dupe unsuspecting employees with access to corporate credentials as is the case with this latest breach.

Our company Packet Analytics will be exhibiting at the 2008 InfoSec World Conference & Expo. You can see live demonstrations of the Net/FSE software and there will be a drawing for an iPod Touch. If you will be attending the conference be sure to stop by booth 414 and say ‘Hi’ and enter the drawing!

There have been several blog posts and articles that have come out lately that have to do with compiling the statistics behind the cost of a breach and the probability of data loss. There is no shortage of these types of statistics but they seem to be getting more granular and informative.

On the Data Auditing Blog there is a good two part series authored by Prat Moghe the founder of Tizor. In the first part of the series he compiles a report from a ITRC (Identity Theft Resource Center) press release on the number of losses. What’s impressive about Moghe’s work is that he not only cites the ITRC numbers be he goes on to compare them against some of his own research and analysis based on information in the Attrition database. Here are to interesting snippets from the post:

1. “They [ITRC] concluded that 2007 had 443 breaches with 127MM losses, vs. 315 breaches and 20MM losses in 2006. This means 40% growth in breaches between 2006 and 2007. “
2. “It turns out that the average loss per moderate loss incident is roughly constant! Yes - across all three years - it is roughly 50,000 losses per incident. (Precisely, this loss was 55K (2005) vs. 50K (2006) vs. 45K (2007)).”

While it seems counter-intuitive, Moghe points out that there may even be a “loss constant” (ie what an enterprise can expect in terms of the number of losses per incident based on the average over the past three years).

(more…)